CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST — in English
CISA KEV catalog updated: (v2026.07.07)
CubeCart prior to version 6.7.0 contained an Authenticated Arbitrary File Upload vulnerability in the REST API File Manager endpoint. This allows any holder of an API key with files:rw permission to upload PHP files to the images/source/ directory, where they are executed by the web server.
CubeCart prior to version 6.7.0 has an Authenticated Server-Side Template Injection (SSTI) vulnerability in multiple modules, including Email Templates and Documents. The application unsafely evaluates user-supplied input through the Smarty template engine.
Podatność na Garmin WDU (w wersjach 1.4.6 i 5.0) umożliwia atak typu cross-site origin WebSocket hijacking. Atakujący może przejąć pełną kontrolę nad urządzeniem, wykorzystując WebSockety do zarządzania ustawieniami, w tym ustawieniami administracyjnymi.
In versions 3.0.7 and earlier, there is a Cross-Site Request Forgery (CSRF) vulnerability in MISP Modules that allows an attacker to cause an authenticated user to submit unintended requests to the home endpoint. The issue was due to the home blueprint being exempted from CSRF protection.
In versions prior to 6.2.4, the fast-jwt library has a critical authentication-bypass vulnerability that allows unauthenticated attackers to forge arbitrary JWTs accepted as authentic.
CKAN, a data management system, had a vulnerability in datastore_search_sql that allowed attackers to bypass authorization and gain access to private resources and PostgreSQL system information. The issue is fixed in versions 2.10.10 and 2.11.5.
CKAN, an open-source data management system, had a vulnerability in datastore_search_sql that allowed attackers to inject SQL to gain access to private resources and PostgreSQL system information. This vulnerability is fixed in versions 2.10.10 and 2.11.5.
CVE-2026-0257 describes authentication bypass vulnerabilities in the GlobalProtect portal and gateway of Palo Alto Networks PAN-OS® software, allowing an attacker to bypass security restrictions and establish an unauthorized VPN connection.
In the vm2 library for Node.js prior to version 3.11.3, a vulnerability allows catching a host exception using the yield* expression inside an async generator. Closing the generator with the return function causes the value to be awaited, and exceptions thrown in the then call are caught by the runtime and passed as the next value to the yield* iterator, enabling sandbox escape and arbitrary command execution.
A vulnerability in the vm2 library for Node.js allows sandbox escape. The issue is fixed in version 3.11.2.
A vulnerability in the vm2 library for Node.js prior to version 3.11.2 allows sandbox escape via the neutralizeArraySpeciesBatch method, which can invoke a getter on the array prototype, exposing objects from the outside. Attackers can obtain host objects and the Function object, enabling arbitrary command execution on the host system.
In vm2 prior to 3.11.1, when a NodeVM is created with nesting: true, sandbox code can unconditionally require('vm2') regardless of the outer VM's require configuration, including require: false. With access to vm2, the sandbox constructs a new inner NodeVM with unrestricted require settings and executes arbitrary OS commands on the host.
A vulnerability in the vm2 library for Node.js allows an attacker to bypass the sandbox and access arbitrary object prototypes. The issue is fixed in version 3.11.0.
A vulnerability in the vm2 library for Node.js (versions 3.9.6 to 3.10.5) allows attacker-controlled JavaScript running in the sandbox to mutate host prototypes such as Object.prototype, Array.prototype, and Function.prototype. This occurs because the bridge exposes mutable proxies for real host-realm intrinsic prototypes and forwards sandbox writes to host objects using ReflectSet() and ReflectDefineProperty().
A vulnerability in vm2 prior to 3.11.0 allows bypassing the NodeVM builtin allowlist when the 'builtin' module is allowed (including via the '*' wildcard). Sandboxed code can use Module._load() to load any module in the host context, leading to remote code execution.
In the vm2 library for Node.js prior to version 3.11.0, there is a vulnerability that allows obtaining the host object. An attacker can use various methods, e.g., via HostObject.getOwnPropertySymbols to obtain Symbol(nodejs.util.inspect.custom) and escape the sandbox.
A vulnerability in JupyterLab before version 4.5.7 allows arbitrary JupyterLab commands to be executed via a crafted button in an HTML cell. The CommandLinker listens for click events on the entire document and executes commands without verifying the element's origin.
A vulnerability exists in iControl REST that allows a highly privileged, authenticated attacker with at least the Manager role to create configuration objects that enable running arbitrary commands.
Ecommerce Systempay 1.0 contains a weak cryptographic implementation vulnerability that allows attackers to brute force the 16-character production secret key used for payment signature generation. Attackers can extract payment form data and signatures from POST requests to the payment endpoint, then use SHA1 hash comparison to iteratively test key candidates until discovering the correct production key.
ELECOM wireless LAN access point devices contain an OS command injection in processing of the username parameter. If processing a crafted request, an arbitrary OS command may be executed.

